Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day for Data Theft
Threat actors associated with the Cl0p ransomware group have exploited a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to facilitate large-scale data theft attacks. The flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. According to Mandiant CTO Charles Carmakal, Cl0p exploited multiple vulnerabilities in Oracle EBS, including those patched in Oracle's July 2025 update and the newly addressed CVE-2025-61882, to steal significant amounts of data from several organizations in August 2025.

The attacks highlight the persistent threat posed by ransomware groups leveraging both known and unknown vulnerabilities to breach enterprise systems. Oracle responded by releasing a patch for CVE-2025-61882, but the incident underscores the importance of timely patch management, as some exploited vulnerabilities had been addressed in previous updates. The exploitation campaign demonstrates Cl0p's technical sophistication and ability to chain multiple vulnerabilities for maximum impact. Victims of these attacks faced the risk of sensitive data exfiltration, with the potential for extortion or public leaks.

The incident has raised concerns about the security of widely deployed enterprise resource planning (ERP) platforms, especially those exposed to the internet. Security experts recommend that organizations using Oracle EBS urgently apply all relevant patches and review their exposure to internet-facing components. The attacks also serve as a warning about the increasing trend of ransomware groups targeting business-critical applications rather than just endpoints. The campaign has prompted renewed calls for organizations to enhance monitoring, implement network segmentation, and restrict unnecessary external access to ERP systems.
The Cl0p group's activity in this case is part of a broader pattern of ransomware operators exploiting high-impact vulnerabilities for data theft and extortion. The incident has been widely discussed in the cybersecurity community as a case study in the risks of delayed patching and the evolving tactics of financially motivated threat actors. Organizations are urged to coordinate with their security vendors and incident response teams to assess potential exposure and strengthen their defenses against similar attacks. The Oracle EBS zero-day exploitation by Cl0p is a stark reminder of the need for continuous vulnerability management and proactive threat intelligence sharing across the industry.

How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Cl0p exploits Oracle E-Business Suite zero-day for data theft
The Cl0p ransomware group was reported exploiting Oracle E-Business Suite zero-day CVE-2025-61882, leading to substantial data theft. The incident highlighted continued ransomware interest in enterprise application vulnerabilities.
SORVEPOTEL WhatsApp worm emerges in Brazil
A self-propagating malware campaign named SORVEPOTEL was reported spreading through WhatsApp in Brazil. Its worm-like behavior made it a notable escalation in mobile and messaging-platform threats.
Detour Dog uses compromised WordPress sites to spread Strela Stealer
A malware campaign known as Detour Dog was reported leveraging hacked WordPress websites to distribute Strela Stealer. The operation showed continued abuse of legitimate web infrastructure for credential theft and malware delivery.
Dutch teens are arrested over Russian espionage case
Authorities arrested Dutch teenagers in connection with Russian espionage activity. The arrests represented a notable counterintelligence and law-enforcement action during the reporting period.
Chinese national is convicted in record crypto fraud case
Law enforcement secured the conviction of a Chinese national in what was described as a record-setting cryptocurrency fraud case. The case was highlighted as a major enforcement development in cyber-enabled financial crime.
Co-op reports significant financial losses from cyberattack
Co-op was reported to have suffered major financial losses tied to a cyberattack. The incident highlighted the longer-term commercial consequences of disruptive cyber events.
Asahi halts services following a cyberattack
Asahi was reported to have suspended services as a result of a cyberattack. The operational disruption illustrated the business impact of attacks beyond data theft alone.
Harrods is reported as impacted by a major cyber incident
Harrods was identified in the roundup as a victim of a significant cyber incident. Its inclusion underscored the breadth of high-profile organizations affected during the period.
WestJet is reported as affected by a cyber incident
WestJet was listed among organizations hit by a significant cyber incident. The event was included as part of the week's major breach and ransomware developments.
Allianz Life suffers a data breach incident
Allianz Life was named as a victim in a significant data breach reported in the newsletter roundup. The disclosure added to a series of major corporate security incidents covered that week.
Red Hat discloses a security incident
Red Hat was identified among organizations affected by a security incident during the reporting period. The references treat it as a notable enterprise breach development amid broader cyber activity.
OpenSSL, Apple, and Broadcom release security patches
Vendors including OpenSSL, Apple, and Broadcom issued patches for significant vulnerabilities and urged users to update. The fixes were presented as important mitigations against active or high-risk security issues.
CISA adds multiple vulnerabilities to the KEV catalog
The U.S. Cybersecurity and Infrastructure Security Agency added several vulnerabilities to its Known Exploited Vulnerabilities catalog. The action signaled active exploitation in the wild and increased urgency for federal and private-sector patching.
Scans targeting Palo Alto Networks portals surge 500%
Security monitoring identified a 500% increase in scanning activity aimed at Palo Alto Networks portals. The spike suggested heightened attacker interest in exposed edge infrastructure and possible pre-exploitation reconnaissance.
ProSpy and ToSpy spyware campaigns target UAE users
Researchers disclosed Android spyware campaigns dubbed ProSpy and ToSpy aimed at users in the United Arab Emirates. The campaigns were identified as part of a broader wave of mobile-focused surveillance activity.
Phantom Taurus targets government and military entities with Net-Star malware
China-linked APT Phantom Taurus was reported targeting government and military organizations in Africa, the Middle East, and Asia using custom malware including Net-Star. The activity marked a notable nation-state espionage campaign highlighted across the references.
Sources
2 references tracked.